Moderated Sessions improvements

constants.go

@@ -643,6 +643,10 @@ const (
 
 	// EnvSSHSessionInvited is an environment variable listning people invited to a session.
 	EnvSSHSessionInvited = "TELEPORT_SESSION_JOIN_MODE"
+
+	// EnvSSHSessionDisplayParticipantRequirements is set to true or false to indicate if participant
+	// requirement information should be printed.
+	EnvSSHSessionDisplayParticipantRequirements = "TELEPORT_SESSION_PARTICIPANT_REQUIREMENTS"
 )
 
 const (

docs/pages/access-controls/reference.mdx

@@ -243,12 +243,12 @@ that are more appropriately scoped.
 
 ### Role versions
 
-There are currently two supported role versions: `v3` and `v5`. `v5` roles are
+There are currently three supported role versions: `v3`, `v4` and `v5`. `v4` and `v5` roles are
 completely backwards-compatible with `v3`, the only difference lies in the
 default allow labels which will be applied to the role if they are not
-explicitly set.
+explicitly set. Additionally, `v5` is required to use [Moderated Sessions](./guides/moderated-sessions.mdx).
 
-Label              | `v3` Default   | `v5` Default
+Label              | `v3` Default   | `v4` and `v5` Default
 ------------------ | -------------- | ---------------
 `node_labels`       | `[{"*": "*"}]` if the role has any logins, else `[]` | `[]`
 `app_labels`        | `[{"*": "*"}]` | `[]`

integration/integration_test.go

@@ -205,6 +205,7 @@ func TestIntegrations(t *testing.T) {
 	t.Run("TwoClustersTunnel", suite.bind(testTwoClustersTunnel))
 	t.Run("UUIDBasedProxy", suite.bind(testUUIDBasedProxy))
 	t.Run("WindowChange", suite.bind(testWindowChange))
+	t.Run("SSHTracker", suite.bind(testSSHTracker))
 }
 
 // testAuditOn creates a live session, records a bunch of data through it
@@ -789,6 +790,38 @@ func testUUIDBasedProxy(t *testing.T, suite *integrationTestSuite) {
 	require.NoError(t, err)
 }
 
+// testSSHTracker verifies that an SSH session creates a tracker for sessions.
+func testSSHTracker(t *testing.T, suite *integrationTestSuite) {
+	ctx := context.Background()
+	teleport := suite.newTeleport(t, nil, true)
+	defer teleport.StopAll()
+
+	site := teleport.GetSiteAPI(Site)
+	require.NotNil(t, site)
+
+	personA := NewTerminal(250)
+	cl, err := teleport.NewClient(ClientConfig{
+		Login:   suite.me.Username,
+		Cluster: Site,
+		Host:    Host,
+	})
+	require.NoError(t, err)
+	cl.Stdout = personA
+	cl.Stdin = personA
+	personA.Type("\aecho hi\n\r")
+	go cl.SSH(ctx, []string{}, false)
+
+	condition := func() bool {
+		// verify that the tracker was created
+		trackers, err := site.GetActiveSessionTrackers(ctx)
+		require.NoError(t, err)
+		return len(trackers) == 1
+	}
+
+	// wait for the tracker to be created
+	require.Eventually(t, condition, time.Minute, time.Millisecond*100)
+}
+
 // testInteractive covers SSH into shell and joining the same session from another client
 // against a standard teleport node.
 func testInteractiveRegular(t *testing.T, suite *integrationTestSuite) {

lib/auth/session_access.go

@@ -17,6 +17,7 @@ limitations under the License.
 package auth
 
 import (
+	"fmt"
 	"regexp"
 	"strings"
 
@@ -36,17 +37,27 @@ import (
 // that is harder to debug in the case of misconfigured policies or other error and are harder to intuitively follow.
 // In the real world, the number of roles and session are small enough that this doesn't have a meaningful impact.
 type SessionAccessEvaluator struct {
-	kind       types.SessionKind
-	policySets []*types.SessionTrackerPolicySet
+	kind        types.SessionKind
+	policySets  []*types.SessionTrackerPolicySet
+	isModerated bool
 }
 
 // NewSessionAccessEvaluator creates a new session access evaluator for a given session kind
 // and a set of roles attached to the host user.
 func NewSessionAccessEvaluator(policySets []*types.SessionTrackerPolicySet, kind types.SessionKind) SessionAccessEvaluator {
-	return SessionAccessEvaluator{
-		kind,
-		policySets,
+	e := SessionAccessEvaluator{
+		kind:       kind,
+		policySets: policySets,
 	}
+
+	for _, policySet := range policySets {
+		if len(e.extractApplicablePolicies(policySet)) != 0 {
+			e.isModerated = true
+			break
+		}
+	}
+
+	return e
 }
 
 func getAllowPolicies(participant SessionAccessContext) []*types.SessionJoinPolicy {
@@ -102,8 +113,13 @@ func (ctx *SessionAccessContext) GetResource() (types.Resource, error) {
 	return nil, trace.BadParameter("resource unsupported")
 }
 
+// IsModerated returns true if the session needs moderation.
+func (e *SessionAccessEvaluator) IsModerated() bool {
+	return e.isModerated
+}
+
 func (e *SessionAccessEvaluator) matchesPredicate(ctx *SessionAccessContext, require *types.SessionRequirePolicy, allow *types.SessionJoinPolicy) (bool, error) {
-	if !e.matchesKind(require.Kinds) || !e.matchesKind(allow.Kinds) {
+	if !e.matchesKind(allow.Kinds) {
 		return false, nil
 	}
 
@@ -209,6 +225,39 @@ func (e *SessionAccessEvaluator) hasPolicies() bool {
 	return false
 }
 
+// Generate a pretty-printed string of precise requirements for session start suitable for user display.
+func (e *SessionAccessEvaluator) PrettyRequirementsList() string {
+	s := new(strings.Builder)
+	s.WriteString("require all:")
+
+	for _, policySet := range e.policySets {
+		policies := e.extractApplicablePolicies(policySet)
+		if len(policies) == 0 {
+			continue
+		}
+
+		fmt.Fprintf(s, "\r\n   one of (%v):", policySet.Name)
+		for _, require := range policies {
+			fmt.Fprintf(s, "\r\n    - %vx %v with mode %v", require.Count, require.Filter, strings.Join(require.Modes, " or "))
+		}
+	}
+
+	return s.String()
+}
+
+// extractApplicablePolicies extracts all policies that match the session kind.
+func (e *SessionAccessEvaluator) extractApplicablePolicies(set *types.SessionTrackerPolicySet) []*types.SessionRequirePolicy {
+	var policies []*types.SessionRequirePolicy
+
+	for _, require := range set.RequireSessionJoin {
+		if e.matchesKind(require.Kinds) {
+			policies = append(policies, require)
+		}
+	}
+
+	return policies
+}
+
 // FulfilledFor checks if a given session may run with a list of participants.
 func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContext) (bool, PolicyOptions, error) {
 	supported, err := e.supportsSessionAccessControls()
@@ -227,13 +276,14 @@ func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContex
 	// We need every policy set to match to allow the session.
 policySetLoop:
 	for _, policySet := range e.policySets {
-		if len(policySet.RequireSessionJoin) == 0 {
+		policies := e.extractApplicablePolicies(policySet)
+		if len(policies) == 0 {
 			continue
 		}
 
 		// Check every require policy to see if it's fulfilled.
 		// Only one needs to be checked to pass the policyset.
-		for _, requirePolicy := range policySet.RequireSessionJoin {
+		for _, requirePolicy := range policies {
 			// Count of how many additional participant matches we need to fulfill the policy.
 			left := requirePolicy.Count
 

lib/auth/session_access_test.go

@@ -110,6 +110,25 @@ func failCountStartTestCase(t *testing.T) startTestCase {
 	}
 }
 
+func succeedDiscardPolicySetStartTestCase(t *testing.T) startTestCase {
+	hostRole, err := types.NewRole("host", types.RoleSpecV5{})
+	require.NoError(t, err)
+
+	hostRole.SetSessionRequirePolicies([]*types.SessionRequirePolicy{{
+		Filter: "contains(user.roles, \"host\")",
+		Kinds:  []string{string(types.KubernetesSessionKind)},
+		Count:  2,
+		Modes:  []string{"peer"},
+	}})
+
+	return startTestCase{
+		name:        "succeedDiscardPolicySet",
+		host:        hostRole,
+		sessionKind: types.SSHSessionKind,
+		expected:    true,
+	}
+}
+
 func failFilterStartTestCase(t *testing.T) startTestCase {
 	hostRole, err := types.NewRole("host", types.RoleSpecV5{})
 	require.NoError(t, err)
@@ -154,6 +173,7 @@ func TestSessionAccessStart(t *testing.T) {
 		successStartTestCase(t),
 		failCountStartTestCase(t),
 		failFilterStartTestCase(t),
+		succeedDiscardPolicySetStartTestCase(t),
 	}
 
 	for _, testCase := range testCases {

lib/client/api.go

@@ -353,6 +353,10 @@ type Config struct {
 
 	// Invited is a list of people invited to a session.
 	Invited []string
+
+	// DisplayParticipantRequirements is set if debug information about participants requirements
+	// should be printed in moderated sessions.
+	DisplayParticipantRequirements bool
 }
 
 // CachePolicy defines cache policy for local clients
@@ -2106,7 +2110,7 @@ func (tc *TeleportClient) runShell(ctx context.Context, nodeClient *NodeClient,
 	env := make(map[string]string)
 	env[teleport.EnvSSHJoinMode] = string(mode)
 	env[teleport.EnvSSHSessionReason] = tc.Config.Reason
-
+	env[teleport.EnvSSHSessionDisplayParticipantRequirements] = strconv.FormatBool(tc.Config.DisplayParticipantRequirements)
 	encoded, err := json.Marshal(&tc.Config.Invited)
 	if err != nil {
 		return trace.Wrap(err)